User client authentication
DigiCert certificate profile
Microsoft device configuration profile
In the Microsoft Endpoint Manager admin center, select Devices, then Configuration profiles, and then Create profile.
Configure the desired platform of the devices that will receive the profile and select SCEP Certificate from the drop-down or from the Templates list.
For Configuration Settings, configure settings and values to match your corresponding DigiCert certificate profile.
Setting | Comments |
---|---|
Certificate type: User | Corresponds to the DigiCert profile type and Device Seat type. Depending on the platform OS behavior, this determines the storage location of the key/certificate on the target device. |
Subject name format | Include attributes and values that are sourced from the SCEP request by the DigiCert ONE certificate profile. |
Subject alternative name | Include attributes and values that are sourced from the SCEP request by the DigiCert ONE certificate profile. |
Certificate validity period | Match with the DigiCert ONE certificate profile configuration. |
Key storage provider (KSP) | Only determines the target platform behavior. |
Key usage | The certificate issued by DigiCert will contain the Key usage (typically, Digital Signature and Key Encipherment) as set in the DigiCert ONE certificate profile, regardless of the Microsoft configuration setting. However, this setting may also influence how the target device OS enforces key flag settings and usages on that device, so it is recommended that the setting match the intended purpose in the DigiCert ONE certificate profile configuration. |
Key size | Match with the DigiCert ONE certificate profile configuration. |
Hash algorithm | Select the strongest level of security that the connecting devices support. |
Root certificate | The CA certificate that issues the end-entity certificate, as configured in the DigiCert ONE certificate profile. If you are using a multi-tier CA certificate hierarchy, select the Issuer CA certificate file. See Intune Trusted certificate profile. |
Extended key usage | The certificate issued by DigiCert will contain the Extended key usage as set in the DigiCert Certificate Profile, regardless of the Microsoft configuration setting. However, this setting may also influence how the target platform OS enforces key flag settings and usages on that device, so it is recommended that the setting match the intended purpose in the DigiCert Certificate Profile configuration. |
Renewal threshold (%) | This value should be tuned to match the Renewal enrollment setting in the DigiCert certificate profile. |
SCEP Server URL | For proper formatting, refer to Table 2, SCEP URL format. |
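
Because the issued certificate carries the Key usage and Extended key usage set on the DigiCert side regardless of the Microsoft setting, it is worth reading those values back from a deployed certificate. The following PowerShell check for a Windows device is an added example, not DigiCert or Microsoft code. The function name `Test-ScepUserCertificate`, every value in `$Expected`, the RSA key type, and the one-day validity tolerance are assumptions to replace with your own profile values.

```powershell
using namespace System.Security.Cryptography.X509Certificates

# Added example. Every value in $Expected is a constructed placeholder:
# replace each one with the value from your own DigiCert ONE certificate profile.
$Expected = @{
    IssuerCN         = '<issuing-ca-common-name>'       # placeholder
    KeyUsages        = [X509KeyUsageFlags]'DigitalSignature, KeyEncipherment'
    EkuOids          = @('1.3.6.1.5.5.7.3.2')           # Client Authentication
    KeySize          = 2048                             # assumed
    ValidityDays     = 365                              # assumed
    RenewalThreshold = 20                               # assumed Intune "Renewal threshold (%)"
}

function Test-ScepUserCertificate {
    param([Parameter(Mandatory)][X509Certificate2]$Cert, [Parameter(Mandatory)][hashtable]$Expected)
    $findings = @()

    # Key usage is decided by the CA profile, so read it from the certificate itself.
    $ku = $Cert.Extensions | Where-Object { $_ -is [X509KeyUsageExtension] }
    if (-not $ku) { $findings += 'Key usage extension is missing' }
    elseif ($ku.KeyUsages -ne $Expected.KeyUsages) { $findings += "Key usage is '$($ku.KeyUsages)'" }

    # Extended key usage: every expected OID must be present.
    $eku  = $Cert.Extensions | Where-Object { $_ -is [X509EnhancedKeyUsageExtension] }
    $oids = if ($eku) { @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) } else { @() }
    foreach ($oid in $Expected.EkuOids) { if ($oid -notin $oids) { $findings += "EKU $oid is missing" } }

    # Key size (RSA) and validity period, allowing one day for CA backdating (assumed tolerance).
    $rsa = [RSACertificateExtensions]::GetRSAPublicKey($Cert)
    if (-not $rsa) { $findings += 'Public key is not RSA' }
    elseif ($rsa.KeySize -ne $Expected.KeySize) { $findings += "Key size is $($rsa.KeySize)" }
    $lifetime = $Cert.NotAfter - $Cert.NotBefore
    if ([math]::Abs($lifetime.TotalDays - $Expected.ValidityDays) -gt 1) {
        $findings += "Validity is $([math]::Round($lifetime.TotalDays)) days"
    }

    [pscustomobject]@{
        Subject    = $Cert.Subject
        Thumbprint = $Cert.Thumbprint
        # Renewal is attempted once this percentage of the lifetime remains.
        RenewalDue = $Cert.NotAfter.AddDays(-$lifetime.TotalDays * $Expected.RenewalThreshold / 100)
        Findings   = $findings
    }
}

Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Issuer -like "*CN=$($Expected.IssuerCN)*" } |
    ForEach-Object { Test-ScepUserCertificate -Cert $_ -Expected $Expected }
```

An empty `Findings` list means the certificate matches the expected values; compare `RenewalDue` with the Renewal enrollment setting in the DigiCert certificate profile.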